command authorization failed

Answered Question
Oct 17th, 2007
User Badges:

I have turned on the aaa command authorization without applying adequate privileges to the user. I can now login through that user but the ASA 5510 displays an error :

============================

EUKFW2# show running-config

^

ERROR: % Invalid input detected at '^' marker.

ERROR: Command authorization failed

============================


I am unable to make any configuration changes on the firewall. Is there any default user through which I can login and disable the aaa authorization ? if not, how can I resolve this situation ?

Correct Answer by Jagdeep Gambhir about 9 years 6 months ago

Please check this link,


http://www.ciscotaccc.com/kaidara-advisor/security/showcase?case=K10386224


Please rate helpful posts


Regards,

~JG



  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4.5 (2 ratings)
Loading.
Jagdeep Gambhir Wed, 10/17/2007 - 12:30
User Badges:
  • Red, 2250 points or more

No there is no default user. To make him login you need to make changes in the command author set.


Make one command autho set in acs --->shared profile components.


add-->give any name "Full access "---> Put radio button to permit and submit.


Now go to that group-->Under Shell Command Authorization Set---> Choose--->Assign a Shell Command Authorization Set for any network device and select FULL ACCESS from list and submit apply.


Now it should let you in.


Caution : This is let that uses to issue all commands


Find attached the way to set up command authorization.


Trick here is to give all user prov lvl 15 and then apply command autho set.


Having Priv lvl 15 does not mean that user will be able to issue all commands. User will only be able to issue commands that you have listed.


Regards,

~JG


Please rate if helps



csco11029214 Wed, 10/17/2007 - 12:47
User Badges:

Thanks for the attachments, I have had a look at them but the problem is that the changes you specified are made through HTTP browser and my firewall was not fully configured hence it can not be connected through HTTP nor SSH nor Telnet, so the only option I have is the console on which it is connected :(


Regards,

Murtaza

Jagdeep Gambhir Wed, 10/17/2007 - 12:49
User Badges:
  • Red, 2250 points or more

You need to make these changes in tacacs server and not in ASA.




csco11029214 Wed, 10/17/2007 - 12:54
User Badges:

Ok, but I did not configure the aaa authorization to use TACACS server, I set it to use LOCAL. Can I disable the authorization from ROMMON ? Actually I just want to disable the aaa command authorization on the ASA so that I can login to the user mode directly and then the EXEC mode with the password I set during the setup.

csco11029214 Thu, 10/18/2007 - 11:51
User Badges:

JG, thanks for that, I though so that might be the only solution. One question though, the last column of that table has my problem and the solution it suggests it "Log in and reset the passwords and aaa commands." but the problem is when I login, I am only able to login by the locked out user so I can not fire any commands, not even the password change so should I enter the setup of the firewall (ROMMON) to reset the password and does the ROMMON accept all the configure commands ?


Regards,

Murtaza

csco11029214 Thu, 10/18/2007 - 14:00
User Badges:

Thank you, I think that URL has guided me to the corrective solution.


Regards,

Murtaza

Actions

This Discussion